Posted to dev@httpd.apache.org by Dirk-Willem van Gulik <di...@webweaving.org> on 2011/09/01 00:33:39 UTC

Re: Advisory: Range header DoS vulnerability Apache HTTPD 1.3/2.x (CVE-2011-3192)

Folks,

See below - for the 1.3 discussion - that suggests we should take it a notch down:

On 31 Aug 2011, at 22:35, Munechika Sumikawa wrote:

>>>> We're currently discussing this - and will probably adjust the
>>>> announcement a bit. It is vulnerable in that it can suddenly take a
>>>> lot more CPU, memory and resources when 'attacked'. And the response
>>>> is worse than pure linear. But unlike 2.0 and 2.2 it does not
>>>> explode exponentially. So at this point I am expecting us to
>>>> conclude that 1.3 is 'as affected' as most other servers
>>>> implementing this protocol; not due to a fault in the code - but
>>>> more to a fault in the protocol design.
>>>> 
>>>> Does that make sense ?
>>> 
>>> Let me confirm the code.  Apache 1.3 allocates only several bytes per
>>> each "byte-range" to record first-pos and last-pos.  And the memory is
>>> released immediately after the HTTP session is disconnected.  Thus,
>>> it's impossible for a cracker to succeed in DoSing a 1.3.x server with
>>> the paranoia range header.  Am I correct?
>>> 
>>> If so, IMO Apache 1.3's behavior should be the normal case.  A more
>>> complicated pattern based on the designed protocol eats up more
>>> resources than a simpler pattern.  That always happens in any protocol.
>>> (e.g. IP fragmentation)
>>> 
>>> I think it's still in scope of "linear" even though it's not "pure
>>> linear".

Which makes good sense. And looking at the default 1.3 configs on the standard platforms of that time - it is indeed not really Apache that is at fault.

Dw.
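The thread above turns on how many byte-range-specs a single Range header carries and how the server's cost grows with that count. The following is an added illustration, not code from the thread or from Apache httpd: a small parser for the `Range: bytes=...` syntax that records only first-pos/last-pos per spec (the per-range state Sumikawa describes) and a policy check that refuses to honour headers with more than an assumed threshold of ranges, serving the full entity instead. The function names and the `MAX_RANGES` value are assumptions of this example; the threshold is a configuration choice, not a number taken from the discussion.

```python
import re
from typing import List, Optional, Tuple

# One byte-range-spec is "first-last", "first-" or "-suffix" (RFC 2616 14.35.1).
_SPEC_RE = re.compile(r"^(\d*)-(\d*)$")

# Assumed policy threshold for this example; not a value from the thread.
MAX_RANGES = 5

ByteRange = Tuple[Optional[int], Optional[int]]


def parse_byte_ranges(header: str) -> List[ByteRange]:
    """Parse a Range header value such as 'bytes=0-99,200-' into
    (first, last) pairs. A suffix range '-500' becomes (None, 500) and an
    open-ended range '200-' becomes (200, None). Only two integers are
    kept per spec, mirroring the 'several bytes per byte-range' cost.
    Raises ValueError on a syntactically invalid header."""
    unit, sep, spec_list = header.partition("=")
    if sep != "=" or unit.strip().lower() != "bytes":
        raise ValueError("unsupported or malformed range unit")
    ranges: List[ByteRange] = []
    for spec in spec_list.split(","):
        spec = spec.strip()
        if not spec:
            continue  # empty list elements are permitted by the grammar
        m = _SPEC_RE.match(spec)
        if not m or (m.group(1) == "" and m.group(2) == ""):
            raise ValueError(f"malformed byte-range-spec: {spec!r}")
        first = int(m.group(1)) if m.group(1) else None
        last = int(m.group(2)) if m.group(2) else None
        # last-pos must be >= first-pos when both are present; otherwise the
        # whole header is syntactically invalid and must be ignored.
        if first is not None and last is not None and last < first:
            raise ValueError(f"last-pos before first-pos in {spec!r}")
        ranges.append((first, last))
    return ranges


def range_request_decision(header: str, max_ranges: int = MAX_RANGES) -> str:
    """Decide how to treat a Range header under a range-count policy.

    Returns 'full'    - ignore the header and serve the whole entity
            'partial' - honour the ranges (206 Partial Content)
            'reject'  - too many ranges for policy; do not do per-range work
    Both 'full' and 'reject' keep the per-request cost independent of the
    number of ranges an untrusted client supplies."""
    try:
        ranges = parse_byte_ranges(header)
    except ValueError:
        return "full"  # RFC 2616: invalid byte-range-set -> ignore the header
    if not ranges:
        return "full"
    if len(ranges) > max_ranges:
        return "reject"
    return "partial"


if __name__ == "__main__":
    # Constructed sample headers, not captured traffic.
    samples = [
        "bytes=0-99",
        "bytes=0-99,200-,-500",
        "bytes=5-1",
        "bytes=" + ",".join(f"{i}-{i}" for i in range(100)),
    ]
    for h in samples:
        shown = h if len(h) < 60 else h[:57] + "..."
        print(f"{shown!r:65} -> {range_request_decision(h)}")
```

In a deployment the 'reject' branch would map to a 416 or to serving the full entity with a 200, depending on policy; the point the example isolates is that the decision is made after counting specs and before any per-range work, so the cost of a hostile header stays bounded regardless of how many ranges it lists.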